Microsoft Forefront Endpoint Protection 2010

Overview

Microsoft Forefront Endpoint Protection 2010 is a software program developed by Microsoft. The most common release is 2.0.657.0, with over 98% of all installations currently using this version. During setup, the program creates a startup registration point in Windows so that it starts automatically when any user boots the PC. A scheduled task is added to Windows Task Scheduler to launch the program at various scheduled times (the schedule varies depending on the version). When installed, it adds a context menu handler to the Windows shell to provide quick access to the program. The setup package generally installs about 42 files and is usually about 17.24 MB (18,073,345 bytes). Of the users who have this installed on their PCs, most are running Windows 7 (SP1) and Windows XP. While about 44% of users of Microsoft Forefront Endpoint Protection 2010 come from the United States, it is also popular in Brazil and the United Arab Emirates.

Behaviors exhibited

shellext.dll added to Windows Explorer under the name 'TVCShellExt' with a class of {4E33A7F5-8083-4C08-9D45-C5CED88F5C04}.

Scheduled Task

msseces.exe is scheduled as a task with the class '{F5823251-EA74-4038-A3D5-7CAD55DAB20E}' (runs on registration).

Scheduled Task (Boot/Login)

msseces.exe is automatically launched at startup through a scheduled task named MSC.

Startup File (User Run)

msseces.exe is loaded in the current user (HKCU) registry as an auto-starting executable named 'Microsoft Security Client User Interface' and executes as "C:\Program Files\Microsoft Security Client\msseces.exe".

Startup File (User Run Once)

msseces.exe is loaded once in the current user (HKCU) registry as a startup file named 'Microsoft Security Client', which loads as "C:\Program Files\Microsoft Security Client\msseces.exe /UpdateAndQuickScan".

Startup File (All Users Run)

msseces.exe is loaded in the all users (HKLM) registry as a startup file named 'MSSE', which loads as "C:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey".